2

I am facing an issue and need your expert advice. I get constant brute force attacks warnings in directadmin from IPs in Russia & China etc etc.

The messages are something like

Feb 27 04:31:15 host1 dovecot[2387]: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<postmaster@domain.com>, method=PLAIN, rip=194.63.XXX.XXX, lip=XX.XX.99.210, session=<aC8bgAkQ2ADCP45l>
Feb 27 04:31:05 host1 exim[2385]: exim: Aborted login (auth failed, 10 attempts in 20 secs): user=<postmaster@domain.com>, method=PLAIN, rip=194.63.XXX.XXX, lip=XX.XX.99.210, session=<aC8bgAkQ2ADCP45l>

It is not a commercial hosting, so only 4-5 different IP addresses actually log into the email clients to check emails.

So I have decided to block all ip addresses accessing port 25, 465, 587 by putting this in the /etc/csf/csf.deny

tcp:in:d=25:s=0.0.0.0/0
tcp:in:d=465:s=0.0.0.0/0
tcp:in:d=587:s=0.0.0.0/0

And I allowed my IP addresses in /etc/csf/csf.allow. Is this a good idea? Can the outside world still email me? Is port 25 blocked?

tcp:in:d=25:s=124.12.0.0/20
tcp:in:d=465:s=124.12.0.0/20
tcp:in:d=587:s=124.12.0.0/20

Please advise.

Thank you so much.

Server: Debian GNU/Linux 7.5 x86_64 / Direct Admin / CSF Firewall

Sallu
  • The trusted users, are they on static IPs? If so, could you create a whitelist allowing *only* trusted clients to your private service? If they're on dynamic IPs, could you set up a dynamic DNS service for those, and point to the dynamic DNS host in the whitelist? – MeetTitan Mar 04 '15 at 09:32

2 Answers

4

A good solution would be to use Fail2ban.

Fail2ban is a daemon to ban hosts that cause multiple authentication errors.

And it uses iptables to do the work.

By default it won't block SMTP attacks, but you can edit its config file /etc/fail2ban/jail.local like this:

[...]

[sendmail]

enabled  = true
port     = smtp,ssmtp
filter   = sendmail
logpath  = /var/log/mail.log
bantime  = 28800
action   = iptables-multiport[name=sendmail, port="pop3,imap,smtp,pop3s,imaps,smtps", protocol=tcp]

Just make sure paths and ports are correct with your config.

PJ Bergeron
  • OK. I'll look into it. I already have fail2ban set up but will see if it can be used for exim also. So it is not good to block port 25, I guess. – Sallu Mar 06 '15 at 09:26
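Added example (my own, not part of the answer above or of fail2ban): before pointing a jail at the exim/dovecot log from the question, it helps to confirm what a filter for that format would actually match. This shell function sums the "N attempts" figure per remote IP (`rip=`) from the "Aborted login (auth failed, ...)" lines and prints the sources at or above a threshold; the sample log and its documentation-range IPs are constructed.

```shell
#!/bin/sh
# Added example, not from the answer: count failed mail logins per source IP
# from the dovecot/exim "Aborted login (auth failed, N attempts ...)" lines
# shown in the question. Usage: failed_auth_ips THRESHOLD < /var/log/mail.log
failed_auth_ips() {
    awk -v thr="${1:-5}" '
        /Aborted login \(auth failed, [0-9]+ attempts/ {
            ip = ""; n = 0
            for (i = 1; i <= NF; i++) {
                # "rip=1.2.3.4," is the remote (client) address; drop the comma
                if ($i ~ /^rip=/) { ip = substr($i, 5); sub(/,$/, "", ip) }
                # the attempt count is the field just before "attempts"
                if ($i == "attempts") n = $(i - 1)
            }
            if (ip != "") fails[ip] += n
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
    ' | sort
}

# Constructed sample in the question's log format (RFC 5737 documentation IPs, not real hosts)
SAMPLE_LOG=$(cat <<'EOF'
Feb 27 04:31:15 host1 dovecot[2387]: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<postmaster@domain.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, session=<aC8bgAkQ2ADCP45l>
Feb 27 04:31:05 host1 exim[2385]: exim: Aborted login (auth failed, 10 attempts in 20 secs): user=<postmaster@domain.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, session=<aC8bgAkQ2ADCP45l>
Feb 27 04:32:40 host1 dovecot[2387]: imap-login: Login: user=<alice@domain.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, session=<Q1w2e3r4>
Feb 27 04:33:02 host1 dovecot[2387]: pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): user=<info@domain.com>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, session=<Zx9y8w7v>
EOF
)

# Successful logins are ignored; only 198.51.100.7 (11 failed attempts) passes a threshold of 5
printf '%s\n' "$SAMPLE_LOG" | failed_auth_ips 5
```

Run it against the real file with `failed_auth_ips 5 < /var/log/mail.log` to see which sources a jail with the same threshold would ban.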
1

Iptables has the ability to inspect the contents of a packet. With that you can look for authentication errors and add them to a ban list. Our mail server is under a constant dictionary attack from a number of sources and this has rate limited that from 10 per minute to one every 5 minutes or so. This is an abbreviated sample; the full script is at http://www.wiseoldcat.com/?q=node/32. The format is the CentOS/Redhat /etc/sysconfig/iptables or iptables-save. This approach could be adapted for imap and pop.

:SMTP_Check_Auth_OUTPUT - [0:0]
:SMTP_Check_Auth_INPUT - [0:0]
....
# add jumps for NEW connections to our filters on the INPUT chain for the SMTP and SUBMISSION ports
-A INPUT -p tcp -m multiport --dports 25,587 -m state --state NEW -j SMTP_Check_Auth_INPUT
....
# Add the authentication filter on the OUTPUT side
-A OUTPUT -p tcp -m multiport --sports 25,587 -m state --state ESTABLISHED,RELATED -j SMTP_Check_Auth_OUTPUT
....
# one of our netblocks so RETURN
-A SMTP_Check_Auth_OUTPUT -d 123.123.123.0/24 -j RETURN
# if the packet contents do NOT have the authentication error string then RETURN - customize for your mailserver
# (negation goes before the option: "! --string"; the older "--string ! ..." form is rejected by current iptables)
-A SMTP_Check_Auth_OUTPUT -p tcp -m string --to 120 --algo kmp ! --string "535 5.7.0 authentication failed" -j RETURN
# set an entry in the recent table
-A SMTP_Check_Auth_OUTPUT -p tcp -m recent --name SMTP_AUTH_ERROR --set --rdest
-A SMTP_Check_Auth_OUTPUT -j LOG --log-prefix "SMTP_AUTH_FAIL: Strike: "
....
# Add the target for the INPUT side
# we are here because this is a new connection - if there hasn't been 3 hits in 20 minutes then RETURN - adjust to your needs
-A SMTP_Check_Auth_INPUT -m recent ! --rcheck --name SMTP_AUTH_ERROR --seconds 1200 --hitcount 3 --rsource -j RETURN
# tag it again
-A SMTP_Check_Auth_INPUT -p tcp -m recent --name SMTP_AUTH_ERROR --set --rsource
# and REJECT the connection
-A SMTP_Check_Auth_INPUT -j REJECT --reject-with icmp-port-unreachable
WiseCat